TLSv1.0 on OpenSSL 3.0-API
Yuko Doki (Fujitsu)
doki.yuko at fujitsu.com
Tue Apr 23 06:43:01 UTC 2024
Thank you for the information, Heikki.
I understood from the RedHat documentation you pointed out that no matter
what crypto policy I specify, I cannot use TLSv1.1 or earlier on RHEL9.
On the other hand, I have confirmed that connections using TLSv1.1 or earlier
are possible even on RHEL9 by using the package "compat-openssl11".
I suspect that this is not covered by the crypto policy.
I would like to report this with gratitude.
Kind regards,
Yuko Doki
-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Heikki Vatiainen
Sent: Monday, April 22, 2024 5:22 PM
To: openssl-users at openssl.org
Subject: Re: TLSv1.0 on OpenSSL 3.0-API (looking for answers)
On 22.4.2024 11.01, Yuko Doki (Fujitsu) via openssl-users wrote:
> I have not configured any providers, so the default provider will be used.
>
> When using RedHat Linux distribution, "@SECLEVEL=0" did not seem to work.
> The versions are as follows.
> OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
> Will changing the provider in the file "openssl.cnf" have any effect?
>
> I also tried with OpenSSL built from the source downloaded from "https://www.openssl.org/source/", on Solaris.
> This time, adding "@SECLEVEL=0" was effect, the TLS1.0 connection was successful.
> The versions are as follows.
> OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
>
> This problem seems to occur only in the RedHat distribution, so it might be better to ask RedHat.
See RedHat documentation about their system-wide crypto policies:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
There's, for example, a table that tells that TLSv1.1 and earlier are
not enabled by default. With RHEL 8 they could be enabled, but with 9 it
seems the can not. Even with command 'update-crypto-policies' it appears
not possible to enable TLSv1.0.
Please let us know how it goes,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
More information about the openssl-users
mailing list